A STEP-BY-STEP GUIDE THROUGH THE SURA INTERNAL AUDIT PROCESS
THE "STOP AND GO" AUDIT APPROACH
To maximize Audit coverage with limited Internal Audit Resources, SURA Internal Audit utilizes a "stop and go" audit approach, which focuses on continuous risk assessment throughout all audit phases, which are outlined below.
By continuously evaluating risk, we may determine at any phase of the audit, that no further work is needed to conclude on the control environment. Upon validating this conclusion with the customer, the audit may be ended and an audit report issued.
The use of this "Stop and Go" approach enables us to focus on performing value added cost effective audits.
Internal Audit facilitates discussions with operating management to identify business processes and risks. Key high-level information, including financial data and customer contact names, is obtained. Additionally, we solicit management's concerns and work with them to define expectations.
Internal Audit will analyze the business and supporting technical risks to define the audit scope and to identify key business control objectives. The business control objectives are validated with the customer to ensure that Audit's approach is in line with the business.
Internal Audit gathers information on how management is controlling risks. Through discussions and/or walk-throughs with key contacts, the Internal Audit identifies business control processes.
An assessment is then performed to ensure that the control environment is adequate. Issues or control weaknesses are communicated and validated with the customer immediately to ensure ongoing communication throughout the audit.
Internal Audit's define the testing strategy based on the assessment of the control environment and management's concerns. If testing is necessary to determine that controls are functioning effectively, detail test programs are developed.
Internal Audit executes the test programs defined above. Throughout this phase, test results are analyzed to determine if additional test work is required, or if no further testing is necessary to conclude on the sufficiency of the control environment. We ensure timely communication of issues arising as test work is executed. Issues are communicated, validated, and drafted with the customer as they are identified.
Communicating Results is not considered a separate phase. It is embedded in all of the above processes. Throughout the audit, all issues identified are validated with the customer and action plans are immediately developed by management. Audit recommendations and management responses are included in the Audit Report including an action plan of what will be done, by whom, by when, and to fix what problems. Reports are issued within 5 days from the end of fieldwork.
Customers are asked to contribute to Internal Audit's continuous improvement process by providing feedback on our Audit Client Survey . Customers are asked to provide written comments about the work performed, as well as asked to rate Internal Audit on the following key areas:
This Web site maintained by SURA